Contractor and employee access to an internal web site using clientless SSL VPN

Peter Tran
Level 1

We have a clientless SSL VPN web page set up that allows employees and contractors to log in and view an internal web page. I was asked whether it is possible to separate employees and contractors when accessing the internal web page. The internal web page does not have user authentication. They would like to see if it's possible for employee traffic to get proxied behind the INSIDE interface IP of the ASA, and contractor traffic to get proxied behind a different IP, so the internal web page can check for the contractor IP and only grant them access to view certain web pages but not all pages.

Accepted Solution

Diego Lopez
Level 1

Hello,

Creating a group policy for each user group would be a good option. You can also use DAP to assign a web ACL to the user that is connecting to the clientless portal; you can use Cisco, LDAP or RADIUS attributes to associate the DAP with the user. For example, if you are using LDAP, you can create two separate groups there for employees and contractors, and based on the user's LDAP group membership they will be assigned the specific web ACL that you configured according to their access restrictions.

You can follow this link to configure a web ACL:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/acl_webtype.html#wp1100532

Once the ACL is ready, you can follow this guide to set up the DAP (check figure 10 for web ACLs):

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html#intro

Thanks, please rate!


2 Replies

Dinesh Moudgil
Cisco Employee

The way clientless SSL VPN works, the ASA will always proxy the client request on the interface where the destined resource is located.

If it suits you, you can have either employees or contractors go for an AnyConnect client-based solution.
Otherwise, create a different group-policy for the contractors, then create the specific bookmarks which they are authorized to access, and then disable the URL link so that they can't access anything other than that.
Check the section "Observing Clientless SSL VPN Security Precautions" in this document:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/webvpn.html#wp999589

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
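The two replies above describe the same approach from different angles: since the ASA proxies clientless requests from the interface nearest the resource (not from a per-group source IP), the restriction has to be enforced on the ASA itself with a per-group group-policy, a webtype ACL and, for contractors, bookmarks only. The following ASA CLI sketch is an added example, not configuration from either reply; the ACL, group-policy, LDAP group, host and URL names are assumptions, and the syntax is the ASA 8.4+ form (older releases use `vpn-tunnel-protocol webvpn`).

```cisco
! Webtype ACLs: contractors see only the public area, employees the whole site
access-list CONTRACTOR_WEB webtype permit url https://intranet.example.com/public/* log
access-list CONTRACTOR_WEB webtype deny url any log
access-list EMPLOYEE_WEB webtype permit url https://intranet.example.com/*
access-list EMPLOYEE_WEB webtype deny url any log

! Fallback policy: a user in neither LDAP group gets no session at all
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! Contractors: webtype ACL plus bookmarks only, URL entry and file access disabled
! (CONTRACTOR_BOOKMARKS is an assumed url-list name, created in ASDM)
group-policy CONTRACTORS internal
group-policy CONTRACTORS attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  filter value CONTRACTOR_WEB
  url-list value CONTRACTOR_BOOKMARKS
  url-entry disable
  file-entry disable
  file-browsing disable

! Employees: full intranet access, still bounded by a webtype ACL
group-policy EMPLOYEES internal
group-policy EMPLOYEES attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  filter value EMPLOYEE_WEB

! Map AD/LDAP group membership to the group-policy (assumed DNs)
ldap attribute-map AD_GROUP_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=Contractors,OU=Groups,DC=example,DC=com" CONTRACTORS
 map-value memberOf "CN=Employees,OU=Groups,DC=example,DC=com" EMPLOYEES

aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password <PLACEHOLDER-PASSWORD>
 server-type microsoft
 ldap-attribute-map AD_GROUP_MAP

! Portal tunnel-group authenticates against LDAP and defaults to the no-access policy
tunnel-group PORTAL type remote-access
tunnel-group PORTAL general-attributes
 authentication-server-group AD_LDAP
 default-group-policy NOACCESS
```

After logging in as a test user from each group, `show vpn-sessiondb webvpn` confirms which group-policy was applied, and the `log` keyword on the deny entries makes blocked contractor requests visible in the ASA syslog.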
